Microsoft Advanced Group Policy Management (AGPM) 3.0 has been RTMd – and why you should care

The Microsoft Group Policy Team Blog has announced that Microsoft Advanced Group Policy Management (AGPM) 3.0 has been RTM’d.

Advanced Group Policy Management (AGPM) helps you better manage Group Policy objects (GPOs) in your environment by providing change control, offline editing, and role-based delegation. AGPM is a key component of the Microsoft Desktop Optimization Pack (MDOP). 

It helps customers overcome challenges that affect Group Policy management in any organization, particularly those with complex information technology (IT) environments. A robust delegation model, role-based administration, and change-request approval provide granular administrative control. For example, you can delegate Reviewer, Editor, and Approver roles to other administrators — even administrators who do not have access to production GPOs. The Editor role can edit GPOs but not deploy them; the Approver role can deploy GPO changes. AGPM also helps reduce the risk of widespread failures.

You can use AGPM to edit GPOs offline, outside of the production environment, and then audit changes and easily find differences between GPO versions. In addition, AGPM supports effective change control by providing version tracking, history capture, and quick rollback of deployed GPO changes. It also supports a management workflow by allowing you to create GPO template libraries and send GPO change e-mail notifications.

AGPM has a server component and a client component, each of which you install separately. First, you install the Group Policy Management Console (GPMC) and the server component on a server system that has access to the policies you want to manage. Then, you install GPMC and the AGPM client on any computer from which administrators will review, edit, and deploy policies. You can run the client on Windows Vista or Windows Server 2003.

The AGPM client integrates completely with GPMC. Administrators review, edit, and deploy GPOs within each domain’s Change Control folder. The GPOs you see in the Group Policy objects list on the Controlled tab are stored in the AGPM server’s archive. Changes made to these GPOs don’t affect the production environment until administrators with the Approver role deploy the GPOs to production.

AGPM provides advanced change control features that help you manage and control GPOs. Many of the AGPM change control concepts are already familiar to administrators with experience using common version-control tools, such as the version control feature in Microsoft Windows SharePoint Services. The steps necessary to change and deploy a GPO are as follows:

  1. Check out the GPO from the archive.
  2. Edit the GPO as necessary.
  3. Check in the GPO to the archive.
  4. Deploy the GPO to production.

Change control is more than checking files in and out of the archive, though. AGPM keeps a history of changes for each GPO. You can deploy any version of a GPO to production, so you can quickly roll back a GPO to an earlier version if you need to. AGPM can compare different versions of a GPO, and show settings that were added, changed, or deleted. This way, you can easily review changes before approving and deploying them to the production environment.

Group Policy already provides a rich delegation model. It allows you to delegate administration to regional and task-oriented administrators. It also, however, lets administrators approve their own changes. In contrast, AGPM provides a role-based delegation model that adds a review and approval step to the workflow.

To support this delegation model, AGPM defines three special roles:

  • Reviewer. Administrators assigned to the Reviewer role can view and compare GPOs. They cannot edit or deploy them.
  • Editor. Administrators assigned to the Editor role can view and compare GPOs. They can check out GPOs from the archive, edit them, and check them in to the archive. They can also request deployment of a GPO.
  • Approver. Administrators assigned to the Approver role can approve the creation and deployment of GPOs. (When administrators assigned to the Approver role create or deploy a GPO, approval is automatic.)

You can assign administrators and groups to these roles for all controlled GPOs within the domain. For example, you can assign administrators globally to the Reviewer role, which allows them to review any controlled GPO in the domain. You can also assign administrators to these roles for individual controlled GPOs. Rather than allow administrators to edit any controlled GPO in the domain, for example, you can give them specific permission to edit individual controlled GPOs by assigning to them the Editor role for those GPOs only.
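The check-out, edit, check-in, deploy steps and the three roles described above, as a toy model in Python. This is an added example, not AGPM code or its API: the `Archive` class, its methods, the permission names and the sample settings are hypothetical, and giving the Approver view rights is an assumption.

```python
# Toy model of the workflow and roles described in this post (not AGPM's API).
# All names are hypothetical; Approver "view" rights are an assumption.
PERMS = {
    "Reviewer": {"view"},
    "Editor": {"view", "edit"},
    "Approver": {"view", "deploy"},
}

class Archive:
    def __init__(self):
        self.history = []           # every checked-in version of the GPO
        self.production = {}        # settings clients actually receive
        self.checked_out_by = None

    def _require(self, role, action):
        if action not in PERMS[role]:
            raise PermissionError(f"{role} may not {action}")

    def check_out(self, user, role):
        self._require(role, "edit")
        if self.checked_out_by:
            raise RuntimeError("already checked out")
        self.checked_out_by = user
        return dict(self.history[-1]) if self.history else {}

    def check_in(self, user, role, settings):
        self._require(role, "edit")
        if self.checked_out_by != user:
            raise RuntimeError("not checked out by this user")
        self.history.append(dict(settings))   # archive only, not production
        self.checked_out_by = None
        return len(self.history) - 1          # version number

    def deploy(self, role, version):
        self._require(role, "deploy")         # rollback = deploy an old version
        self.production = dict(self.history[version])

    def compare(self, role, a, b):
        self._require(role, "view")
        old, new = self.history[a], self.history[b]
        return {
            "added": sorted(new.keys() - old.keys()),
            "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
            "deleted": sorted(old.keys() - new.keys()),
        }
```

The property to notice is that `check_in` never touches `production`: an Editor's work stays in the archive until someone holding the deploy right acts on a specific version.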

See the Advanced Group Policy Management Training Guide at for additional details on what’s forthcoming.
